Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

Many digital advertising arrangements that companies commonly use may qualify as “selling” or “sharing for cross context behavioral advertising” personal information under the California Consumer Privacy Act in California and laws in a few other US states (Nevada, Virginia, Colorado, Connecticut, Utah). Businesses state in their online privacy disclosures whether they sold or shared personal information in the last 12 months and whether they will sell or share personal information. Businesses that “sell” or “share” personal information, or use or disclose consumers’ sensitive personal information for non-exempt purposes have to treat user-enabled global privacy controls as a valid opt-out request.

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes employee and business representative data from its scope.

On 1 January 2023, the California Consumer Privacy Act as revised by the California Privacy Rights Act will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the California Consumer Privacy Act will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply.

We would like to cordially invite you to our hybrid briefing “Crossroads between Employment Law and Data Protection” on 5 December 2022. It will take place both on-site in our Baker McKenzie office in Berlin and globally online.

Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Colorado Privacy Act (CPA). However, the CPA, and the recently published proposed CPA Rules, contain certain unique and prescriptive requirements that may warrant taking a CPA-specific approach to compliance. How the finalized CCPA regulations and CPA Rules look will largely dictate whether companies will need to expand or change the scope of their privacy compliance measures to meet the obligations set forth under both California’s and Colorado’s privacy regimes.

Businesses that have implemented compliance measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage existing compliance mechanisms designed to comply with the CCPA to satisfy requirements under the Utah Consumer Privacy Act, which will become operative on 31 December 2023.

Businesses that have implemented compliance measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage existing vendor contract terms, website disclosures and data subject right processes to satisfy requirements under Nevada’s Revised Statutes Chapter 603A. Most companies will not need to expand the scope of CCPA-focused privacy notices because the Nevada laws are much more narrowly framed. But, companies may find it operationally efficient to broaden the scope of opt-out rights if they engage in data sharing practices that qualify as “selling” of personal information, for example, in the context of digital advertising.

Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

Lothar Determann, Baker McKenzie Partner and UC Berkeley School of Law Professor, recently joined Helen Dixon, Data Protection Commissioner for Ireland, to present at the Berkeley Center for Law and Technology during Berkeley Law’s IP & Tech Month.
Lothar and Helen provided a year-in-review of international privacy for US practitioners, focusing on the EU and GDPR as well as how other countries are protecting privacy and regulating data.